A new startup in Dubai is offering six and seven figure payouts for zero-day exploits for Android, iOS, Windows and Mac.

A new startup is offering up to $3 million dollars for tools to hack into Android and iOS devices, the highest public price offered for such tools.

The startup is called Crowdfense and is based in the United Arab Emirates. In an unusual move in the normally secretive industry of so-called zero-days, Crowdfense sent out a press release to reporters on Tuesday, advertising what it calls a bug bounty.

Crowdfense’s director Andrea Zapparoli Manzoni told me that he and his company are trying to join that market, purchasing zero-days from independent researchers and then selling them to law enforcement and intelligence agencies.

“When I think about government agencies I don’t think about the military part, I think about the civilian part, that works against crime, terrorism, and stuff like that,” Zapparoli told me in a phone interview. “We only focus on tools aimed at doing activities of law enforcement or intelligence, not aimed at destroying or deteriorating the functionality and effectiveness of the target systems—but only aimed at collecting intelligence.”

The company is only looking for zero-day exploits for Windows, MacOS, iOS, and Android. It’s not interested in exploits for Internet of Things devices, critical infrastructure, telecom companies, or popular sites such as Facebook, according to Zapparoli.

A graphic of the exploits Crowdfense is looking for, and the respective payouts. (Image: Crowdfense)

Crowdfense is trying to do things in different ways, “with the maximum possible transparency,” he said. Zapparoli said he doesn’t want to repeat the same mistakes that other companies in this industry did in the past, and specifically mentioned Hacking Team, an Italian vendor of spyware that’s infamous for selling hacking and surveillance tools to oppressive governments.

“Vetting customers is the most delicate part of our whole activity,” Zapparoli said.

For now, however Zapparoli didn’t specify exactly how the company is doing the vetting or who it’s working with. He said Crowdfense is willing to sell only to “very few” customers if that’s what they need to do to make sure their hacking tools don’t end in the wrong hands. He said that in the future it might publish best practices and standards on how it vets customers but for now, it will “self-regulate.”

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

The local government of the UAE has authorized Crowdfense to open shop in Dubai, Zapparoli said.

“When we have to sell outside of the UAE, normally there are no objections,” Zapparoli said.

Zapparoli also said that the company will take into consideration the controversial Wassenaar international arrangement, which regulates so-called “dual-use” technologies. That is, tools that can be used both in times of peace and war. Some countries that are part of the arrangement (the UAE is not part of it) consider certain zero-days as dual-use items. Zapparoli said it will be up to the researchers who sell their exploits to Crowdfense to abide by the arrangement.

The company has a budget of $10 million for this “bug bounty.” Its backers, for now, are also secret. Zapparoli declined to specify who invested in the company.

Desautels said that Crowdfense’s price list is in line with the market. He mentioned that before he quit the zero-day industry, he brokered the sale of an iOS zero-day that went for $4 million. But he’s skeptical of the business model. For Crowdfense to make it work, it will have to resell the same capabilities to multiple customers, he said, which could lead to problems.

The market, however, is there.

"When you're talking about iOS and Android devices, those kinds of targets, you're talking about real operational interests,” he told Motherboard in a phone call. “You have a need, you have somebody who's on the move that has a phone and you need to track who this person is. You need something you can tie directly to a person. That's when you spend that kind of money."

Correction: A previous version of this story quoted Zapparoli saying the UAE authorized Crowdfense to sell hacking tools. Zapparoli said that the government only authorized the company to set up shop in Dubai, not to sell zero-days, as there's no need for that authorization.